The Perils of Mobile App Insecurity
Feb 4, 2014 9:33 PM PT
Smartphones and tablets have become ubiquitous -- and so convenient that we often download apps and approve permissions without giving them much thought. Such behavior exposes the data we store on our prized devices to increasing risk.
That blind trust is just what app makers count on. Android users, especially, are complacent about synchronizing apps on multiple devices. Even worse is the practice of linking bank and social networking accounts with cloud storage so that a conduit is always open that connects our data from phones, tablets and computers.
Personal information can leak from mobile phones and tablets through the apps we install. Many of the apps we use mine our contact lists, locations and personal information that the app makers sell or use for marketing campaigns.
"For some mobile app developers, gathering and selling user information is half of the business model," Rick Sizemore, Director of the cloud computing practice at Alsbridge, told LinuxInsider.
Wild West Wasteland
The potential for hacking sensitive information is especially high when portable devices are used in enterprise settings. Encrypting the data is helpful, but many workplaces lack adequate IT support to make smartphones and tablets more secure, according to Sizemore.
In any case, "those measures will not prevent individual apps from collecting personal information and sending it to the vendors' server. That situation is the Wild West of mobile devices. With Google (Android) devices, it is even more of a Wild West situation," he said.
Users need to realize that with many of the apps on their devices, all the information they store on the device -- including every place they go -- is collected and sent by more than one app, warned Sizemore.
That is often the motivation behind offering free apps that otherwise have no revenue stream: the app designers gather all that information and sell it.
Matter of Trust
One big difference between Android and other mobile OSes is the trust factor with installed applications. Android trusts users to accept what they install. It is up to the user to decide which permissions to give to each application, explained Ryan Smith, threat engineer at Mojave Networks.
"Android also gives users the option of downloading from a third-party site. Unlike Apple, Google is not being the arbiter in deciding what applications you can or cannot install the way Apple has done," Smith told LinuxInsider.
This is not necessarily a vulnerability in Android, but it is something that the user has to be aware of and look out for, he added.
Depending on the apps that users download, the risks of malware and virus attacks can run the gamut. There is some Android malware, but it tends to be more prevalent in regions outside the U.S. and Europe, Smith said.
It is more isolated within China, other parts of Asia and Russia. Attacks are not exclusive to those regions, but Android malware is not prevalent in other areas, he explained.
Similar to attacks on computer systems, some mobile OSes pose richer targets than others. This brings into play the popularity factor.
Android is a popular target in the mobile world, just like Microsoft is an easy target in the PC world. They both are the predominant operating systems in their categories, according to Jack Walsh, mobility program manager at ICSA Labs.
"The malware writers are going to spend the most time where they can get the best returns. Attackers are going to be able to exploit any mobile operating system. It is just right now that they are concentrating more on Android," Walsh told LinuxInsider.
With Microsoft being the latest platform entry for mobile users, the jury is still out on whether Windows apps that run on that platform will be safer or more prone to attacks, offered Smith.
Apple is better at vetting its app files in its download store. It is easier to fool the system with an Android apk (application package file), Sizemore added.
Apps Threaten OS
With smartphones and tablets, more risk comes from insecure apps than from vulnerabilities in the mobile OS itself. In the case of Android, its granular permission structure puts each application into a sandbox. This keeps every app separate from all other running apps in terms of privileges, explained Smith.
"In some newer versions, the apps provide encryption, so they have a lot of security to them. It boils down to trusting the applications you want to install," he said.
It is a well-known trick that if you want to slip something by unsuspecting users, first publish an innocuous app and then push out an update with something major changed with the permissions, Smith said. To protect against that threat, look closely at the permissions on app updates.
"It makes sense if you are not comfortable with the permissions to uninstall the app," noted Smith.
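The check Smith describes, comparing what an app asked for before and after an update, can be automated from the app's manifest. The script below is an added example for this article, not code from Mojave Networks or any app vendor: the two manifest snippets are constructed sample input for a hypothetical flashlight app, the Android permission names are the real identifiers, and the watch-list of sensitive permissions is an assumption chosen to match the data the article says apps tend to harvest (contacts, location).

```python
"""Added example: flag an Android app update that quietly widens its permissions.

Both manifests below are constructed for this example; the package name
com.example.flashlight is hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest of the innocuous first release.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight" android:versionCode="1">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Constructed manifest of the update that adds data-harvesting permissions.
MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight" android:versionCode="2">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>
"""

# Assumed watch-list: permissions that reach contacts, location or messaging.
# Real permission names; which ones count as sensitive is this example's choice.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    # ElementTree exposes the namespaced android:name attribute as {ns}name.
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def diff_permissions(old_xml: str, new_xml: str) -> dict[str, set[str]]:
    """Compute what an update adds and drops, and which additions are sensitive."""
    old, new = requested_permissions(old_xml), requested_permissions(new_xml)
    added = new - old
    return {
        "added": added,
        "removed": old - new,
        "sensitive_added": added & SENSITIVE,
    }


def review_update(old_xml: str, new_xml: str) -> str:
    """Verdict a cautious user acts on: 'review' if sensitive permissions appeared."""
    return "review" if diff_permissions(old_xml, new_xml)["sensitive_added"] else "ok"


if __name__ == "__main__":
    for key, perms in diff_permissions(MANIFEST_V1, MANIFEST_V2).items():
        print(f"{key}: {sorted(perms)}")
    print("verdict:", review_update(MANIFEST_V1, MANIFEST_V2))
```

Run against the two constructed manifests, the diff reports three added permissions, all on the watch-list, and a verdict of "review". In practice the manifests would be extracted from the installed and the updated APK; a permission that only grows between versions is the pattern the article warns about.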
Another Threat Level
The majority of attacks on mobile devices are fraudulent banking apps. Once they get slipped into app stores, you cannot tell them apart from the real apps, according to Walsh.
"The goal is to get these copycat apps into consumers' hands. When the user inputs account information, instead of being transmitted to the real bank, they go to fraudulent servers," he said.
Beyond malware, there are additional risks that fall into the gray area. These risks do not result from bad intentions or from apps being written by bad people, Smith added.
"The app weaknesses do, nevertheless, pose a risk to the businesses. This may not be as great of a risk as malware, but it still poses a risk," he said.
Ripe for Picking
Adware is becoming more prevalent with mobile devices due to the information apps collect. This can include the location of the user, the phone the person is using, and some of the information on the phone about the user, warned Smith.
"Sometimes this personal information leaks from the phone as part of the vendors' attempts to track the user for targeted ads," he said. "These information leaks are lower risks than malware, but they still pose a concern and are becoming more prevalent."
Overzealous mining of users' data is a matter of vendor ethics. Legitimate vendors are less likely to broker mined personal information inappropriately, noted Smith.
One tool mobile device users can employ is a first-rate security scanner application, suggested Mojave Networks' Smith, who recommended looking around for a security app that takes a fine-grained approach to classifying threats.
"You need more than a security app that just says that the scan showed no malware. You need one that categorizes the level of the risks," he said.
Due diligence goes a long way when selecting a mobile application, added ICSA Labs' Walsh. Make sure the mobile app developer is legitimate, trustworthy and has a history of quality app development, he urged.
Another good due diligence step is to check if the app developer follows testing and certification practices. This is particularly important when an employer deploys mobile devices to a workforce.
Perhaps one of the most significant pieces of advice for mobile device users is to not download apps from lesser-known app stores, added Walsh. Measure the risks and decide if you want to take that risk.
"I'm not trying to say that every single source is disreputable. I'm saying that it is probably in your best interest to just look on Amazon or Google. But even when you do that, be aware of what you are downloading," he cautioned.
Making it tougher on the bad guys is also a critical self-protection step. For instance, use a PIN of more than six digits. Having a PIN is better than not having a PIN. Even better is having a drawn figure or pattern, added Sizemore.
"Users should encrypt their data so a password is needed to decrypt it," he said. "Do not use the same decryption code for every instance."